1. Field of the Invention
The present invention relates to a web application, and more particularly, to an information processing apparatus, an information processing system, and a computer program for realizing a web application provided with measures for vulnerabilities.
2. Description of the Related Art
With the recent development and popularization of networking and web technologies, web technologies are used not only in Internet services such as on-line shopping but are also incorporated in equipment such as multifunctional peripherals (MFPs). For example, an MFP is provided with a web interface for performing settings, so that various settings can be made on the MFP easily and conveniently via a web browser.
At the same time, there have recently been concerns about vulnerabilities that are unique to web applications. Various such vulnerabilities are known, including structured query language (SQL) injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). A CSRF is a vulnerability in which, when a web browser accesses a malicious page, JavaScript (registered trademark) or the like is executed and the browser is caused to post a malicious parameter to a web user interface of an MFP. Because the cookie stored in the browser is sent with this request, the access is accepted as a legitimate hypertext transfer protocol (http) session.
These vulnerabilities unique to web applications cause problems not only in Internet services such as on-line shopping but also in incorporated equipment such as MFPs. For example, in the case of an MFP, various settings of the MFP could be changed by a CSRF that makes the request appear to come from a legitimate administrative user.
Known measures for the CSRF vulnerability from the viewpoint of web application designers include, for example, an approach in which a user is asked to enter authenticating information such as a user identification (ID) and a password, and an approach in which messages are exchanged with a one-time or fixed authentication token appended in addition to a cookie. In the approach using an authentication token, the server manages a character string that is difficult to guess. The character string is set in an input form as a hidden parameter or the like, and the consistency of the parameter is checked when the form is submitted.
Another conventional technology providing a measure for vulnerabilities unique to web applications is disclosed in Japanese Patent Application Laid-open No. 2010-113566. That publication discloses a configuration intended to improve the robustness of a web application against attacks over a network, which prevents attacks by causing a session to bypass a hook process without modifying the source code of the web application. More specifically, in the configuration disclosed in Japanese Patent Application Laid-open No. 2010-113566, when a process request is received over a network, a process insertion control unit hooks the requested process at a predefined timing and interrupts it with a predetermined process at that timing. A privilege inspecting unit then determines, in response to a call, whether access to a process executing unit is permitted, based on first definition information that defines, for each type of access and each process request, the privileges for accessing resources.
As explained above, various measures for the CSRF vulnerability are also known in the conventional technologies. However, the approach asking a user to enter authenticating information is disadvantageous from the viewpoint of the user, because it is cumbersome to enter the authenticating information again even though the user has already been authenticated on a log-in screen. In the conventional technology using an authentication token, an authentication token for validating requests needs to be generated and stored in memory for each user, which disadvantageously reduces memory efficiency. Reduced memory efficiency is an issue especially in incorporated equipment such as MFPs with limited resources, and in a web application that serves a large number of pages and into which a large number of users sign in. Furthermore, although the technology disclosed in Japanese Patent Application Laid-open No. 2010-113566 provides a measure for the CSRF vulnerability, it is incapable of improving the memory efficiency.
The present invention is made in consideration of such issues in the conventional technologies, and an object of the present invention is to provide an information processing apparatus, an information processing system, and a computer program that can validate a request without requiring an authentication token for validating the request to be stored separately in memory for each user, and without forcing a user to perform the cumbersome operation of entering authenticating information.
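As an added illustration, not code from the patent or from any publication it cites, the following Python script contrasts the conventional per-user token store described in the related art above with a token derived from the session identifier under a single server-side key, a well-known stateless variant that removes the per-user memory cost but is not necessarily the approach claimed by this invention. The session identifiers and the server key are constructed sample values; a request is accepted only when the hidden form parameter is consistent with the session carried in the cookie, so a forged post that carries only the cookie is rejected.

```python
import hashlib
import hmac
import secrets


class StoredTokenValidator:
    """Conventional measure: one random token per signed-in user, kept in server memory."""

    def __init__(self):
        self._tokens = {}  # session id -> token; grows with the number of signed-in users

    def issue(self, session_id):
        token = secrets.token_hex(16)  # hard-to-guess string placed in a hidden form field
        self._tokens[session_id] = token
        return token

    def check(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        # constant-time comparison so the check does not leak the token byte by byte
        return expected is not None and hmac.compare_digest(expected, submitted)

    def stored_entries(self):
        return len(self._tokens)


class DerivedTokenValidator:
    """Stateless variant (assumed here, not the patent's method): HMAC(server_key, session id)."""

    def __init__(self, server_key):
        self._key = server_key  # one secret for all users; nothing is stored per user

    def issue(self, session_id):
        return hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()

    def check(self, session_id, submitted):
        return hmac.compare_digest(self.issue(session_id), submitted)

    def stored_entries(self):
        return 0


def accept_request(validator, cookie_session_id, form_token):
    """Server-side decision: the cookie alone is not enough; the hidden field must match it."""
    return validator.check(cookie_session_id, form_token)


if __name__ == "__main__":
    # Constructed sample values: an administrator session and a second, unrelated session.
    for v in (StoredTokenValidator(), DerivedTokenValidator(b"constructed-server-key")):
        admin_token = v.issue("sess-admin")
        print(type(v).__name__,
              accept_request(v, "sess-admin", admin_token),   # True: legitimate form submission
              accept_request(v, "sess-admin", ""),            # False: CSRF post carries only the cookie
              accept_request(v, "sess-other", admin_token),   # False: token is bound to its session
              v.stored_entries())                             # 1 for stored, 0 for derived
```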